Sharing Cyberthreat Information With Competitors
In this inter-connected world, a cyberthreat to your competitor can quickly become a problem for your own company. Wouldn't it be great if you could share information with each other about cyberthreats, so that you would both be better off in the long run?
"You want to do what with our competitor?" is likely the incredulous question that many compliance officers and in-house lawyers alike will pose when hearing about any sort of proposed collaboration with a competitor. And for good reason. Antitrust laws strictly prohibit companies from collaborating with each other if the result might be anti-competitive--such as raising prices or restricting output.
But what if the companies want to share information about the latest computer virus? Does that violate the antitrust laws? In a recent joint announcement, the federal antitrust enforcers emphasized that the answer is typically "no."
In a joint announcement on April 10, the U.S. Department of Justice (DOJ) and the Federal Trade Commission (FTC) attempted to make clear that the antitrust laws should not be "a roadblock to legitimate cybersecurity information sharing."1 The head of the DOJ Antitrust Division called the announcement an "antitrust no-brainer."
The agencies have long had guidelines regarding collaboration between competitors, which emphasize that collaboration is not necessarily anti-competitive.2 These guidelines take into account the business purpose for the sharing, the type of information shared, and the context in which the sharing takes place. Notably, antitrust concerns can arise regardless of whether companies share information directly, or through a common vehicle like a trade association.
Cyberthreat information is typically very technical in nature. For example, sharing the "threat signature" of potential malware, or the source IP address of a cyber attack, does not likely involve information that could be used for anti-competitive means. In fact, to the contrary, sharing this information can increase economic efficiencies by helping secure our nation’s IT infrastructure.
Many companies routinely share cyberthreat information already.3 Before the announcement by the DOJ and FTC, however, some companies were leery about the antitrust ramifications of such overt exchange of technical information with competitors. The joint announcement by DOJ and the FTC attempted to put those fears to rest.
But the agencies were careful not to grant blanket immunity for such conduct. Indeed, the last part of the announcement is this simple footnote: "Of course, if an information sharing arrangement is being used as a cover to fix prices, allocate markets, or otherwise limit competition, antitrust issues could arise." For this reason, companies would be wise to implement strict procedures governing what sort of information their IT professionals can—and cannot—share with peers at other companies.
1 U.S. DEPT. OF JUSTICE & FED. TRADE COMM’N, ANTITRUST POLICY STATEMENT ON SHARING OF
CYBERSECURITY INFORMATION (2014), available at http://www.justice.gov/atr/public/guidelines/305027.pdf.
2 U.S. DEPT’ OF JUSTICE & FED. TRADE COMM’N, ANTITRUST GUIDELINES FOR COLLABORATIONS
AMONG COMPETITORS (2000), available at http://www.ftc.gov/os/2000/04/ftcdojguidelines.pdf.
3 Some industries have established “Information Sharing Analysis Centers” (ISACs) to share cybersecurity
information. See http://www.isaccouncil.org.